ITV News has been given unique access to perform a detailed analysis of information seized from private investigator Steve Whittamore in 2003 by investigators acting for the Information Commissioner’s Office. Mr Whittamore specialised in obtaining information on behalf of clients in the media.
This information detailed a substantial market in obtaining data about celebrities, politicians and ordinary members of the public, in fact anyone who the media took an interest in. There are over seventeen thousand request detailed in the books, and around four and a half thousand people targeted.
Some of this information appears to have been obtained legitimately and is in any case publicly available from the Electoral Register, Companies House and other legitimate sources.
Other information appears to have been obtained illegally from organisations who have either been tricked into handing it over, or from a corrupt source within the organisation. The organisations concerned are the Police, the DVLA, BT, and mobile network providers.
We’ve identified seven categories of information obtained by Mr Whittamore where breaches of the Data Protection act may have been committed.
Ex-directory telephone numbers
Lists of Friends and Family numbers for BT customers
Criminal Records Checks carried out on the Police National Computer
Information held by the DVLA - names and addresses of drivers obtained from their vehicle number plates
Mobile conversions – where a name and address is obtained from a mobile phone number
Landline conversions – where a name and address is obtained from a landline number
Blags – where information has been obtained from an organisation by deception
Our calculations show that large amounts of money have been spent by news organisations on potentially illegal acts, and that the number of requests for such acts are in some cases well in excess of figures previously released by the Information Commissioner’s Office.
Many of the people targeted by these data breaches were targeted many times, and the vast majority of them remain completely unaware that their data was illegally accessed.
THE LEGAL SITUATION
In each of the seven cases above a breach of Section 55 of the Data Protection Act has occurred if the information has been obtained from an organisation trusted to hold it (a “Data Controller” in the jargon) either by deception or corruption.
In Steve Whittamore’s case ITV News understands that:
Information from BT was obtained by an associate who had an identification number posing as a BT engineer
Information from mobile phone companies was obtained either through two assciates, one who used blagging to obtain the details, and another who is suspected of having a corrupt source within one or more mobile networks
Information from the Police and DVLA was obtained via corrupt, paid sources within those organisations
Blags were mainly carried out by Steve Whittamore himself using a prepared pretext depending on the type of information being blagged
However breaches of Section 55 of the Data Protection Act can be justified if the person concerned can prove that they were acting in the public interest, or if they acted in the reasonable belief that the Data Controller would have given them the information in any case, had they known the use to which it was being put.
WHAT WAS FOUND IN STEVE WHITTAMORE’S OFFICE
1) THE INVOICES
Several boxes of invoices were seized, setting out money spent by various news organisations on Mr Whittamore’s services. The invoices, which are not necessarily exhaustive, detail the period from 1995 to 2003. In most cases they do not make explicit what services were requested, but they indicate, at least in part, how much money Mr Whittamore was making over this period and who was paying him.
It’s important to bear in mind that the invoices do not indicate illegal activity as such, and it’s not possible from examining the invoices to say with any degree of certainty what money was spent on potentially illegal activity, and what was spent on requests where the data requested is available from a legitimate source.
Therefore the information from the invoices was not used by us to help calculate the amount of illicit enquiries Mr Whittamore was hired to carry out.
2) THE COLOURED BOOKS
In addition to the invoices, four coloured A4 books were seized, in which Mr Whittamore wrote down a series of orders which he received during the period from early 2000 to March 2003.
The Red book covered mainly Trinity Mirror publications
The Blue book covered mainly News International
The Yellow and Green books covered Associated Newspapers, Northern and Shell newspapers and others
The books go into far more detail than the invoices, and they record who made the request, what they asked for, and who the target of the request was. They also contain reams of personal data uncovered as a result of Mr Whittamore’s illicit enquiries.
From our analysis of the books ITV News has been able to work out which media organisations made requests for information which appears to have been obtained illegally – the seven categories set out above, and how many requests each newspaper made.
In many cases the books record the name of the requesting journalist, but not the organisation they were working for. By carefully working out which journalist worked for which paper during this period we’ve been able to work out the number of requests on the 7 categories for each newspaper covered in the books.
We have not counted searches where the information appears to have been obtained legally, or is available from legitimate sources.
Previous figures published by the ICO in their 2006 report “” are in some cases well below our figures. We believe this is because the ICO has failed to count requests where no paper is explicitly named in the books.
By cross referencing this with a price list for Mr Whittamore’s services we’ve been able to work out how much each paper was spending on commissioning breaches of the data Protection Act. In cases where the pricelist has shown varying prices for a service we’ve based out calculations on an average figure.
We’ve had our work on Steve Whittamore’s books independently audited by , and where they have recommended corrections we have done so. Additionally we’ve excluded journalists who appear to have been working for several newspapers from our analysis.
The Information Commissioner’s Office estimates there are around four thousand people whose personal details have been recorded in Steve Whittamore’s notebooks. Some are well known people in public life and celebrities, but the majority appear to be ordinary people who have been briefly of interest to journalists following a story.
It’s not clear if any of the newspapers concerned still hold phone numbers and other data obtained from Steve Whittamore, and whether the details are held on their computer systems or merely in the notebooks of individual journalists.